Updates Sandboxie+ Release v0.6.5 / 5.47.0

bjm_

Level 9
Verified
May 17, 2015
448
Last edited:

bjm_

Level 9
Verified
May 17, 2015
448
FWIW ~
Edge users may want to stick with 0.6.0.....for now.
My Edge has issues with 0.6.5.
I'm back with 0.6.0....for now.
--
Edit:
Edge is not automatically deleted #493
https://github.com/sandboxie-plus/Sandboxie/issues/493#issue-798330084
 
Last edited:

Lenny_Fox

Level 21
Verified
Oct 1, 2019
1,068
Thx @bjm

I am using FF as newspaper reader only (with bypass paywall add-on) and had added uBO in medium mode (with only Kees1958 as blocklist). I noticed there were two versions a plus still in development (0.6.x version) and a classic 5.47.x version). I have not played with Sandboxie so I decided to download the 'classic' (assuming a 5.v version has less bugs than a 0.6 version).

It took me some time to figure out on how to create an shortcut to start firefox (which is not my default browser, I am using Edge-chromium for that). After succesfully creating the icon I browsed through the settings and changed the following settings (for firefox)

Recovery > Quick recovery - Downloads folder
Delete > Delete invocation - Automatically delete contents of sandbox
Program Start > Forced Programs - Firefox.exe
Program Stop > Leader Programs - Firefox.exe
Restrictions > Internet Access - Firefox.exe
Restrictions > Start/Run Access - group <FirefoxPrograms>
Restrictions > Drop Rights - Enabled
Resource Access > File Access > Read-Only Access - Users\Public
Resource Access > File Access > Blocked Access - D (documents drive) + M (media drive) + R (recovery drive)
Resource Access > Registry Access > Read-Only Access - \REGISTRY\USER\

Is this the way to run FF isolated?
 
Last edited:

Andy Ful

Level 70
Verified
Trusted
Content Creator
Dec 23, 2014
5,902
Thx @bjm

I am using FF as newspaper reader only (with bypass paywall add-on) and had added uBO in medium mode (with only Kees1958 as blocklist). I noticed there were two versions a plus still in development (0.6.x version) and a classic 5.47.x version). I have not played with Sandboxie so I decided to download the 'classic' (assuming a 5.v version has less bugs than a 0.6 version).

It took me some time to figure out on how to create an shortcut to start firefox (which is not my default browser, I am using Edge-chromium for that). After succesfully creating the icon I browsed through the settings and changed the following settings (for firefox)

Recovery > Quick recovery - Downloads folder
Delete > Delete invocation - Automatically delete contents of sandbox
Program Start > Forced Programs - Firefox.exe
Program Stop > Leader Programs - Firefox.exe
Restrictions > Internet Access - Firefox.exe
Restrictions > Start/Run Access - group <FirefoxPrograms>
Restrictions > Drop Rights - Enabled
Resource Access > File Access > Read-Only Access - Windows + Program Files + Program Files (x86) + ProgramData
Resource Access > File Access > Blocked Access - Users\Public + D (documents drive) + M (media drive) + R (recovery drive)
Resource Access > Registry Access > Read-Only Access - \REGISTRY\

Is this the way to run FF isolated?
Not exactly. If something can escape from Firefox, then it can still have read access to important resources:
  1. Windows Registry.
  2. Almost all folders on the system disk.
  3. USB drives with not protected drive letters (E, F, G, etc.)
So, the isolation is approximate.
You can harden your sandbox by allowing only Firefox processes, but then some extensions can fail.
 

Lenny_Fox

Level 21
Verified
Oct 1, 2019
1,068
Not exactly. If something can escape from Firefox, then it can still have read access to important resources:
  1. Windows Registry.
  2. Almost all folders on the system disk.
  3. USB drives with not protected drive letters (E, F, G, etc.)
So, the isolation is approximate.
You can harden your sandbox by allowing only Firefox processes, but then some extensions can fail.
I understand what you are telling, software sandboxes running in same (virtual) machine are allways approximate, but . . .

1. Firefox runs with dropped rights (so should not be able to change UAC protected objects)
2. Applied read-only restrictions for Firefox in the sandbox (registry USER & User/Public)
3. Start/run access restrictions are for firefox already applied
4. Firefox is only program allowed outbound internet
5. Firefox has uBlockOrigin Added blocking third-party scripts and frames

I only use Firefox for reading online news papers (Edge chromium is default browser), so approximate is good enough
 
Last edited:

Andy Ful

Level 70
Verified
Trusted
Content Creator
Dec 23, 2014
5,902
I understand what you are telling, software sandboxes running in same (virtual) machine are allways approximat, but . . .

1. Applied restrictions for all programs in the sandbox (registry and UAC folders are read only)
2. Start/run access restrictions are for firefox were already applied (

so unless escape uses vulnability in firefox and sandboxie all other programs should be isolated. Sincd I have not won the lottery, I don't expect to be so unlucky to be the victim of a double fail.
Yes. Simply, the Sandboxie isolation cannot be compared to the isolation in the Virtual Machine or Application Guard for Edge. Also, the Firefox processes in the Sandbox are not protected so well against the unsandboxed processes (by default the sandboxed system processes have additional protection).

Edit.
A more probable (but still rare) scenario can be escaping from the web browser due to the hidden incompatibility of Sandboxie with the updated web browser. Another problem can be Sandboxie incompatibility with updated Windows (Sandboxie will fail).
 
Last edited:

Lenny_Fox

Level 21
Verified
Oct 1, 2019
1,068
Yes. Simply, the Sandboxie isolation cannot be compared to the isolation in the Virtual Machine or Application Guard for Edge. Also, the Firefox processes in the Sandbox are not protected so well against the unsandboxed processes (by default the sandboxed system processes have additional protection).

Edit.
A more probable (but still rare) scenario can be escaping from the web browser due to the hidden incompatibility of Sandboxie with the updated web browser. Another problem can be Sandboxie incompatibility with updated Windows (Sandboxie will fail).
Thanks, i use Edge-chromium with WD Application Guard and ExploitGuard Protection (only allow Microsoft Signed DLL's) for surfing.

Edit:
The only interface between Edge WDAG and Edge in strict mode is the clipboard (set in GPO) for copying links and text when writing content for the websites I maintain (mainly pubs and restaurants). For the pubs it is really hard to create interesting content, because of the lockdown.
 
Last edited:
Top